My Lords, I draw your Lordships’ attention to my entry in the register of interests, particularly my association with and employment by the Nuclear Threat Initiative, a US-based think tank. I congratulate the noble Viscount, Lord Waverley, on securing this debate and commend him for corralling this massive topic into a 15-minute speech. I congratulate him also on the breadth of the Motion before your Lordships’ House. I am particularly pleased because it allows me to return specifically to a topic that is a minor obsession of mine: the scale and complexity of the cyber threat to major weapons systems, including our nuclear deterrent.
The first step in solving any problem is admitting there is one. That, of course, picks up the theme that a number of noble Lords have referred to. The value of this debate is in raising awareness, and I hope to raise awareness of some threats. It will be difficult for us to engage with them, but I have some ideas about that as well.
Although I have been aware of this threat for some time, I first tentatively raised the issue publicly in January 2013 following the report of the Defense Science Board of the US Department of Defense, Resilient Military Systems and the Advanced Cyber Threat. The top line of that report is, in short:
Critical IT systems in this context include nuclear weapons systems, and the board knew that cyber was a threat to this, because it had red teamed it in the United States. The task force went on to say that its lack of confidence applied also to the weapons systems of allies and rivals. The UK is, of course, an ally of the United States, and so that sparked my attention.
In addressing this issue, I have always been measured in my comments, mindful of my noble friend Lord West’s concern that people can get into scaremongering in this environment. But these are existential threats, and there is nothing scarier in my view. Drawing on the specific recommendations of the report, I reminded the then Ministers that they had an obligation to assure us that all parts of the nuclear deterrent had been assessed against the risk of cyberattack and that protections were in place. I explained that, if they were unable to do that, there was no guarantee that we would, in the future, have a reliable deterrent. Quite simply, a deterrent works on the basis that it is a live threat; if a rival knows that they can defeat the deterrent or prevent it being deployed, it does not work.
In 2015, in the run-up to the Trident debate, I repeated this request in the hope that cybersecurity would emerge as part of the debate on our commitment for the next 50 years, apparently, to a deterrent-based approach to nuclear weapons. The response to my reference to a 146-page report of recommendations and appendices was depressingly familiar and platitudinous. I was told publicly that Trident was safe because it was “air-gapped”. The argument appears to be that, because these weapons are deployed in submarines under the water, they cannot be threatened by cyber. This is a complete misunderstanding of the cyber threat and a misrepresentation of the facts. Most of these boats are not at sea all the time: they are hooked up to other systems for a significant period and spend three months or slightly more at sea. But that is what I was told.
In the reporting of my comments by the BBC, a Ministry of Defence spokesperson, while understandably refusing to comment on the details of security for the nuclear deterrent, assured the country that,
“we can and will safeguard it from any cyber threat”.
I know of no expert who would ever give such a comprehensive assurance about anything, but that is what was publicly stated. The spokesperson went on to say:
“We are investing more than ever before on the UK’s defensive and offensive cyber capabilities. Last week the Chancellor outlined a plan for £1.9bn in cyber investment”.
So, essentially, “Move on, there is nothing to see here”.
Thankfully, that is not the US attitude to this. The United States is a much more open society than we are in relation to these issues. I know that is to do with its constitution and the accountability of the Administration to Congress, but the irony of my interest in this is that I can find out much more about these issues in publications in the United States than I can here. That is not proper accountability, but that is an argument for another day.
The Defense Science Board task force on cyber continued its work and produced a final report in December 2017. I do not have time today, even with the 12 minutes that I have, to go into it in any detail but, four years on, the report continues to challenge UK complacency, concluding that Russia and China had significant and increasing ability to hold US critical infrastructure at risk and growing capability through cyber-attack to thwart military response—in other words, to defeat deterrence.
In July 2015, the other place debated the renewal of Trident, but cybersecurity was virtually absent from the debate. Since then, in updates to Parliament by the Government on the renewal programme, no mention has ever been made of cybersecurity and it has never been fully debated in Parliament or even engaged the Defence Select Committee’s attention. I cannot find any statement by a member of the Cabinet on this issue and, shamefully, Parliament has also been broadly silent on this issue.
External reports continue to be published identifying this and they are always met with the same bland assurances and comments. For example, in 2018 Chatham House published a report, Cybersecurity of Nuclear Weapons Systems: Threats, Vulnerabilities and Consequences. Again, the Ministry of Defence response came in the form of a statement from an anonymous spokesperson. Apparently, the MoD has,
“absolute confidence in our robust measures to keep the nuclear deterrent safe and secure”,
invests significant resources into regularly assuring its protection against cyberattacks and other threats, and again we were reminded that the UK,
“takes cyber security very seriously across the board, doubling its investment in the area to £1.9bn”.
In every case where this £1.9 billion is quoted, it is never said by any of the anonymous spokespersons that this money was committed in 2015 for five years of cybersecurity for every aspect of government. I am assured by experts with whom I worked closely during my time in the United States that this is an inadequate amount of investment given the scale of the challenge to our weapons systems.
Until April last year, for three years I lived and worked for the NTI in the US. There I found in government, Congress and the expert community more awareness of the threat to our military systems than here in the UK. In the US, NTI brought together high-level former senior military and government officials, policy experts and cybersecurity experts to form a cyber nuclear weapons study group. I co-chaired this group with former Senator Sam Nunn and former Secretary Ernest Moniz. The group examined the implications of cyber threats to nuclear weapons and related systems and developed a set of options for policies, postures and doctrines that will reduce this risk.
The NTI study group report was published last month. The ink was not long dry on it when, on
The report concludes that the department,
“likely has an entire generation of systems that were designed and built without adequately considering cybersecurity”.
Specifically, the report states that:
“from 2012 to 2017, DOD testers routinely found mission-critical cyber vulnerabilities in nearly all weapon systems that were under development. Using relatively simple tools and techniques, testers were able to take control of these systems and largely operate undetected”.
They were able to guess a password on a weapons system in nine seconds, access weapon systems where open source or commercial software had been installed and the installer failed to change the default passwords, partially shut down a weapons system simply by scanning it—a technique so basic that it apparently “requires little knowledge or expertise”—and take control of some weapons. In one case, a two-person team took just one hour to gain initial access to a weapon system and one day to gain full control of the system. They could also access and stay in a weapons system for weeks, during which time the DoD never found them despite the testers being intentionally “noisy”. In other cases, automated systems detected the testers, but the humans responsible for monitoring those systems did not understand what the system was trying to tell them.
The GAO estimates that the vulnerabilities the DoD knows about likely comprise a small proportion of the risks in their systems. The tests leave out whole categories of potential problem areas such as industrial control systems, devices that do not connect to the internet and counterfeit parts. This unclassified report is about a classified matter and consequently refers to various systems without identifying them. I will come back to that important point in a moment.
Further, the report underscores a troubling disconnect between how vulnerable DoD weapons systems are and how secure DoD officials believe they are. This echoes what I am told in the United Kingdom. The officials who oversee the systems appear dismissive of the results, not understanding that when they dismiss these results, they are dismissing testing from their own department. The GAO did not conduct any tests; it audited the assessments of DoD testing teams. In some cases, officials indicated that their systems were secure, including systems that had not had a cybersecurity assessment.
In its findings, the GAO describes the DoD as only “beginning to grapple” with the importance of cybersecurity and the scale of vulnerabilities in its weapons systems. Public reporting of this report describes this as a “wake-up call” for the DoD. It should be a wake-up call for us too. We have almost certainly bought and deployed some of these weapons systems. We have certainly bought and installed in our weapons systems software programmes, the testing of which has informed this report.
Essentially, I have two questions for the Government. When are we going to have a proper debate, in government time, on the cyber threat to and cybersecurity of our weapons systems, including the deterrent? Now that this GAO report has been published, what steps are the Government taking to follow up on the implications of this report for our military capabilities with the US Government and the DoD in particular?